Shadow Talk Update – 03.05.2018

On this week’s Shadow Talk podcast, the Research Team cover CVE-2018-4878 being used in a spam campaign, the HTTPS certificate chaos between Trustico and DigiCert, more ransomware reporting on the SamSam and DataKeeper variants, and the threat of large-scale distributed denial of service (DDoS) attacks using Memcached servers.

Spam enables Flash vulnerability exploit

An Adobe Flash vulnerability tracked as CVE-2018-4878 is being exploited through a spam email campaign. Lure emails contained a shortened link that, if clicked, accessed a Web domain hosting weaponized Microsoft Word documents. If documents were opened, the attack attempted to exploit the vulnerability, enabling remote code execution. CVE-2018-4878 was previously exploited as a zero-day vulnerability in targeted espionage; the spam campaign shows its rapid uptake by other threat actors. Proof of concept exploit code was released publicly, meaning CVE-2018-4878 will likely continue to be targeted by operations using multiple entry vectors, despite a patch being available.

Thousands of website certificates revoked after private key exposure

23,000 Symantec-issued HTTPS website certificates resold by Trustico will be revoked after associated private keys were exposed via email. This may result in website service interruptions unless owners quickly replace certificates. Affected customers were notified, with both DigiCert – the entity responsible for revoking the certificates – and Trustico offering free replacement certs. Although both DigiCert and Trustico are likely to suffer some reputational damage due to conflicting reporting and their public dispute, this is unlikely to impact trust in the certification system.

Update on SamSam ransomware attack

The Colorado Department of Transportation, in the United States, took 2,000-plus staff computers offline after an attack by ransomware “SamSam”. No crucial systems were reportedly affected, and only computers running Windows operating systems were disrupted. The attack vector is not known, but SamSam usually targets vulnerable software applications or servers. The “Gold Lowell” threat group has previously used SamSam and accrued a significant profit from attacks.

New DataKeeper ransomware variant detected

The “DataKeeper” ransomware-as-a-service (RaaS) variant is distinct for its ability to conduct lateral movement. At the time of publication, there had been no transactions into the Bitcoin address associated with this RaaS, indicating that any attempted extortions using the address were ineffective. However, given its accessibility, profit share and capacity for lateral movement, this ransomware will likely be adopted by a variety of actors.

Memcached servers used for DDoS reflection attacks

There is a new DDoS reflection attack method that uses Memcached internet-facing servers. Memcached is a memory caching system that, by default, “listens” on UDP port 11211. More than 90,000 of these servers were discovered on Internet of Things search engine, Shodan, as of 28 February. The code repository site GitHub was targeted by this method, with the peak attack volume recorded at 1.35 terabits per second. Blocking, filtering or modifying Memcached configuration to only listen on localhost is recommended.